CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

A Command Injection vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10.

Because the "_im_convert_path" does not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can inject system commands in this parameter that will execute when any user opens any email containing a "non-standard" image.

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Requirements:

This vulnerability requires:

Access to the Roundcube Webmail installer component
Waiting for a Roundcube user to open an email containg a non-standard image

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
README.md		README.md
Roundcube Disclosures - CVE-2020-12641.pdf		Roundcube Disclosures - CVE-2020-12641.pdf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Roundcube Disclosures - CVE-2020-12641.pdf

Roundcube Disclosures - CVE-2020-12641.pdf

Repository files navigation

CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

Vendor Disclosure:

Requirements:

Proof Of Concept:

About

mbadanoiu/CVE-2020-12641

Folders and files

Latest commit

History

README.md

README.md

Roundcube Disclosures - CVE-2020-12641.pdf

Roundcube Disclosures - CVE-2020-12641.pdf

Repository files navigation

CVE-2020-12641: Command Injection via “_im_convert_path” Parameter in Roundcube Webmail

Vendor Disclosure:

Requirements:

Proof Of Concept:

About

Topics

Resources

Stars

Watchers

Forks